diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
index be46e849df..1aa0c39997 100644
--- a/code/go/ecs/os.go
+++ b/code/go/ecs/os.go
@@ -21,13 +21,14 @@ package ecs
 
 // The OS fields contain information about the operating system.
 type Os struct {
- // Categorize the operating system in one of the broad commercial families.
+ // Use the `os.type` field to categorize the operating system in one of the
+ // broad commercial families.
 // One of these following values should be used (lowercase): linux, macos,
 // unix, windows.
- // If the OS is not part of any of these families, the field should not be
+ // If the OS is not part of any of this list, the field should not be
 // populated. Please let us know by opening an issue with ECS, to have it
 // added to the list.
- CommercialFamily string `ecs:"commercial_family"`
+ Type string `ecs:"type"`
 
 // Operating system platform (such centos, ubuntu, windows).
 Platform string `ecs:"platform"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 8b879e684f..26a31f0872 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3853,23 +3853,6 @@ The OS fields contain information about the operating system.
 
 // ===============================================================
 
-| os.commercial_family
-| Categorize the operating system in one of the broad commercial families.
-
-One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-If the OS is not part of any of these families, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list.
-
-type: keyword
-
-
-
-example: `macos`
-
-| extended
-
-// ===============================================================
-
 | os.family
 | OS family (such as redhat, debian, freebsd, windows).
 
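Review bot: The new doc comment on the exported `Type` field does not follow Go's convention of opening with the field name, and its rewritten sentence "not part of any of this list" is ungrammatical; `// Type categorizes the operating system in one of the broad commercial families.` followed by `// If the OS is not in this list, the field should not be populated.` would read correctly in `go doc`. The four permitted values (linux, macos, unix, windows) are stated only in the comment — nothing in the struct constrains the string — so code that switches on this field has to treat any other value as unknown rather than assume the set is closed, which is worth saying in the comment if that is the intent. Removing the exported `CommercialFamily` field is a breaking change for Go importers of this package; the `2.0.0-dev` version in the CSV hunks suggests that is expected, but if compatibility matters a `// Deprecated:` alias would ease the migration. The `Os` struct begins and ends outside this hunk.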
@@ -3947,6 +3930,23 @@ example: `darwin` // =============================================================== +| os.type +| Use the `os.type` field to categorize the operating system in one of the broad commercial families. + +One of these following values should be used (lowercase): linux, macos, unix, windows. + +If the OS is not part of any of this list, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. + +type: keyword + + + +example: `macos` + +| extended + +// =============================================================== + | os.version | Operating system version as a raw string. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 84d603ded7..b0f53ea2db 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2131,20 +2131,6 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword 
@@ -2183,6 +2169,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -2893,20 +2893,6 @@ If no custom name is needed, the field can be left empty.' example: 1_proxySG - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -2945,6 +2931,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword 
@@ -3012,20 +3012,6 @@ description: The OS fields contain information about the operating system. type: group fields: - - name: commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: family level: extended type: keyword @@ -3064,6 +3050,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: version level: extended type: keyword 
@@ -5708,20 +5708,6 @@ description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -5760,6 +5746,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 92c4eab841..2a67a56a9c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -243,7 +243,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." @@ -251,6 +250,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. 2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 
@@ -335,7 +335,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." @@ -343,6 +342,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. 
@@ -697,7 +697,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -705,6 +704,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 0ac446c782..4e819397f5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3337,24 +3337,6 @@ host.name: normalize: [] short: Name of the host. type: keyword -host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -3423,6 +3405,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. 
@@ -4491,24 +4492,6 @@ observer.name: normalize: [] short: Custom name of the observer. type: keyword -observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -4577,6 +4560,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -8746,24 +8748,6 @@ user_agent.original: normalize: [] short: Unparsed user_agent string. type: wildcard -user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -8832,6 +8816,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0c2b7be9a2..56e8d62558 100644 
--- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4000,25 +4000,6 @@ host: normalize: [] short: Name of the host. type: keyword - host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -4087,6 +4068,25 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. 
@@ -5272,25 +5272,6 @@ observer: normalize: [] short: Custom name of the observer. type: keyword - observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -5359,6 +5340,25 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -5499,24 +5499,6 @@ organization: os: description: The OS fields contain information about the operating system. fields: - os.commercial_family: - dashed_name: os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword os.family: dashed_name: os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -5580,6 +5562,24 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. 
@@ -10080,25 +10080,6 @@ user_agent: normalize: [] short: Unparsed user_agent string. type: wildcard - user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -10167,6 +10148,25 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index dfef1b8a91..5247e36816 100644 
--- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1103,10 +1103,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1137,6 +1133,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1562,10 +1562,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1596,6 +1592,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3214,10 +3214,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -3248,6 +3244,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 65d74bfe95..3e23c50736 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2174,20 +2174,6 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -2228,6 +2214,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword 
@@ -2947,20 +2947,6 @@ If no custom name is needed, the field can be left empty.' example: 1_proxySG - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -3001,6 +2987,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -3069,20 +3069,6 @@ description: The OS fields contain information about the operating system. type: group fields: - - name: commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: family level: extended type: keyword 
@@ -3123,6 +3109,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: version level: extended type: keyword @@ -5588,20 +5588,6 @@ description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword 
@@ -5642,6 +5628,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 77fde23e73..784459a3cc 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -244,7 +244,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -252,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. 2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. @@ -336,7 +336,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -344,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. 
@@ -662,7 +662,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 2.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -670,6 +669,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e960a9b5a2..3978ef88d7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3385,24 +3385,6 @@ host.name: normalize: [] short: Name of the host. type: keyword -host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -3473,6 +3455,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -4550,24 +4551,6 @@ observer.name: normalize: [] short: Custom name of the observer. type: keyword -observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -4638,6 +4621,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -8469,24 +8471,6 @@ user_agent.original: normalize: [] short: Unparsed user_agent string. type: keyword -user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -8557,6 +8541,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 286b1d5542..422647f15a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4050,25 +4050,6 @@ host: normalize: [] short: Name of the host. type: keyword - host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -4139,6 +4120,25 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -5333,25 +5333,6 @@ observer: normalize: [] short: Custom name of the observer. type: keyword - observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -5422,6 +5403,25 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -5563,24 +5563,6 @@ organization: os: description: The OS fields contain information about the operating system. fields: - os.commercial_family: - dashed_name: os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword os.family: dashed_name: os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -5646,6 +5628,24 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. @@ -9787,25 +9787,6 @@ user_agent: normalize: [] short: Unparsed user_agent string. type: keyword - user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -9876,6 +9857,25 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 1e23304c93..c80ed9eab5 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1135,10 +1135,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1171,6 +1167,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1605,10 +1605,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1641,6 +1637,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" 
@@ -3137,10 +3137,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -3173,6 +3169,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 15d2828289..2065369a1c 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1134,10 +1134,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1170,6 +1166,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1604,10 +1604,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1640,6 +1636,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3136,10 +3136,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -3172,6 +3168,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/os.yml b/schemas/os.yml index 5a704cb10d..07a72dfb49 100644 --- a/schemas/os.yml +++ b/schemas/os.yml 
@@ -13,16 +13,17 @@ type: group fields: - - name: commercial_family + - name: type level: extended type: keyword short: 'Which commercial OS family (one of: linux, macos, unix or windows).' description: > - Categorize the operating system in one of the broad commercial families. + Use the `os.type` field to categorize the operating system in one of + the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of these families, the field should not be populated. + If the OS is not part of any of this list, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. example: macos